Identity Access Management (IAM) is a hot topic and for good reason. After all, restricting access to your data and application is among the most fundamental security measures you can take. Read about the steps Synerise has taken to give users more tools and options for enhancing their IAM policies.
New level of Access Management with Synerise
Synerise AI Growth Ecosystem is an end-to-end experience & continuous intelligence framework that enables infinite use cases & growth scenarios for our clients. Synerise enables businesses to track and gain insights from the interactions they have with their customers – whether it is on the website, mobile app, in offline stores (Bluetooth, WiFi), POS, social media, email, loyalty programs, ERP, live chat and more. Using this wealth of data, businesses can deliver meaningful, engaging experiences and true 1:1 personalization.
Synerise is constantly growing and adding new functionalities through investment in AI and IAM security measures and broader possibilities for mobile-based marketing.
Given the various use cases and magnitude of data that we process every single second, we can provide our partners with secure and convenient access to the platform and data at the same time through, among other things, leading-edge IAM functionality.
Why do we need Identity and Access Management?
The COVID-19 pandemic has caused a lot of changes for every organization, and with the increasing use of cloud platforms such as ours, where staff work remotely from many distant locations, many organizations have been challenged with making sure that access and resources are completely secure.
That’s why IAM is a mission-critical element of any cloud platform and within our Ecosystem it enables every profile owner to control:
- WHO can access your Profile and Data
- WHERE that person/system can access your Profile and Data from
- WHAT kind of data/resources users will be able to access
That’s also why we have evolved our tailor-made IAM module for both platform Users and IAM as a Service to be used within Applications created by our clients, so that they don’t have to use any third-party services, since Synerise is a one-stop shop that will help anyone achieve any business goals.
IAM as a Service to be used within Applications created by our clients, so that they don’t have to use any third-party services, since Synerise is a one-stop shop that will help anyone achieve any business goals. ~Krzysztof Czerepak
Thinking about what kind of capabilities you can use to secure access to your Synerise Profile, data and resources? Here you go!
1. Single Sign-On
Let’s start with the Single Sign-On (SSO) feature, which allows you to integrate your existing third-party Identity Provider and enable single sign-on for your users, so that they can authenticate with the service they already know and are used to.
Synerise provides Security Assertion Markup Language (SAML) based SSO, where you can integrate with any Identity Provider that uses the SAML 2.0 protocol, a widely accepted standard for exchanging authentication and authorization data between Synerise and Identity Providers such as Microsoft Azure, Google Workspace, Okta, and more.
With our Single Sign-On you will be able to configure Just-in-Time provisioning and map Identity Provider based roles/groups to user roles available within our platform.
The biggest benefit of SSO is that it eliminates the need for multiple user accounts, for remembering passwords, for setting up separate 2FA, for managing policies and so on, which makes it more convenient to use and has a positive impact on overall security, as the common risks associated with each of these elements disappear.
If you are using Microsoft Azure Active Directory you can add Synerise from the Azure App Gallery, for details please follow this tutorial.
Did you know that Microsoft enables you to have password-less sign-in with Azure AD?
2. Native user accounts
For those of you who do not wish to use Single Sign-On we have our native user account capability, which lets everyone provision as many user accounts as required, since we do not limit the number of ‘seats’.
It’s worth noting that we distinguish three types of users:
A Guest is any person who has been invited to your profile but does not belong to your company, so you cannot fully control their account. To gain control over such user accounts you must convert them to manageable accounts, which means you must prove that you have the authority to administer them.
The last type is related to Single Sign-On: these accounts are managed, but the control you have over them is limited, as you won’t be able to perform password resets or 2FA resets on such users.
The table below illustrates operations that are allowed depending on account type:
* - account will be deleted only from Synerise and not from Identity Provider.
Our native accounts have several functionalities that are at the heart of secure access to Profiles and data, and we highly encourage you to use all of them to harden user access controls.
3. Timed access for Users
One of the small but often underestimated problems that all of us have is keeping track of whether all our users still require access. This is especially true when we want, for example, to give someone access for a specific job, which usually has a start and an end.
We have a solution to that problem: a timed access feature where you can define the end date on which the user will lose access automatically, without the need for any offboarding process.
4. Two-factor authentication (2FA)
Two-factor authentication is one of the features that we strongly encourage you to configure for our native user accounts, since it is an additional security measure that makes a second authentication factor mandatory alongside the login and password.
Whenever you configure two-factor authentication you enforce 2FA on both Managed and Guest users, as the enforcement occurs at the Profile level, to guarantee that no user can access your profile without an additional account security measure.
5. Customizable Password policies
No matter what kind of password policies you have defined within your organization, we enable you to implement them, starting with password length and password complexity and including additional rules like password expiration, password history, or the number of failed login attempts.
6. Tokens and User session
We use JSON Web Tokens (JWT) as part of user authentication; the token lifetime is what defines the user session lifetime, with the default token expiration time set to 1 hour. Session refreshes occur automatically for the user based on the policy that has been configured, which is a good compromise between security and usability.
7. Granular permission system
We have created an extensive permission system where you have complete control over which features are allowed for a particular user, API key or application. The diagram below visualizes how our permission system is organised. It all starts with roles that you can assign to your users, where you can either use predefined ones or create as many custom roles as you require.
Each role may enable access to specific feature sets within the platform, which is made possible through Permission Groups that must be assigned to a role. Permission Groups bundle the individual permissions we have defined that correspond to features available within the platform. Think of it as an abstraction layer that makes it more convenient to configure the required access levels without the need to dive into individual permissions and API methods.
Permissions are the lowest and most granular level, and they relate directly to individual API methods available in our system. You can configure such granular access for each of the API keys that you create. Thanks to this you can define very narrow permissions for your integrations or applications, which is crucial from a security standpoint.
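To make the three levels concrete, here is an added example (not Synerise code) that resolves a user's roles through Permission Groups down to individual API methods, and flags permissions an API key holds but has never exercised; the role, group and method names are constructed placeholders.

```python
from typing import Dict, FrozenSet, Iterable

# Lowest level: individual permissions, each tied to one API method.
# Group and method names are constructed placeholders, not the platform's catalogue.
PERMISSIONS_BY_GROUP: Dict[str, FrozenSet[str]] = {
    "Profiles.Read":  frozenset({"GET /profiles", "GET /profiles/{id}"}),
    "Profiles.Write": frozenset({"POST /profiles", "DELETE /profiles/{id}"}),
    "Campaigns.Read": frozenset({"GET /campaigns"}),
}

# Middle level: a role is a bundle of Permission Groups (constructed examples).
GROUPS_BY_ROLE: Dict[str, FrozenSet[str]] = {
    "Analyst": frozenset({"Profiles.Read", "Campaigns.Read"}),
    "Admin":   frozenset({"Profiles.Read", "Profiles.Write", "Campaigns.Read"}),
}


def effective_permissions(roles: Iterable[str]) -> FrozenSet[str]:
    """Flatten roles -> groups -> permissions into the API methods a user may call.
    Unknown roles or groups contribute nothing rather than raising, so a typo in
    a role name fails closed."""
    allowed = set()
    for role in roles:
        for group in GROUPS_BY_ROLE.get(role, frozenset()):
            allowed |= PERMISSIONS_BY_GROUP.get(group, frozenset())
    return frozenset(allowed)


def is_allowed(granted: FrozenSet[str], method: str) -> bool:
    """Authorization check at the gateway: exact match on the API method."""
    return method in granted


def unused_permissions(granted: FrozenSet[str], observed_calls: Iterable[str]) -> FrozenSet[str]:
    """Least-privilege review for an API key: permissions it holds but has never
    exercised (observed_calls would come from the gateway's access log) are
    candidates for removal."""
    return granted - frozenset(observed_calls)
```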
8. IP address whitelisting
One of the most important elements you can use to secure your profile is IP allow-listing, a feature that makes it mandatory for all users to connect from known IP addresses. With that option you are free to define which locations you want to grant access to.
This feature enforces an IP address check on our API gateways, so only trusted addresses will have access to the profile and data.
Once that option is configured, users coming from IP addresses that are not whitelisted won’t be able to access anything on your profile, including our own support teams.
9. Unknown device control and filtering for untrusted traffic
We have introduced 3 mechanisms to keep our cloud platform secure.
- The first of them is related to controlling sign-ins from previously unknown devices where users receive dedicated emails informing them about any such sign-ins.
- There is also a mechanism that automatically detects brute-force attempts against user accounts and responds with a temporary or a permanent ban of such traffic.
- Finally, we also filter out traffic coming from untrusted locations like TOR network exit nodes or other proxies.
That’s one of the reasons why you can feel safe and secure using the Synerise platform to manage your users, customers and all of your events and data.
IAM as a Service
Many partners build various applications that rely on our platform to deliver core functionalities and all of them have one thing in common—they all require authentication. We have a feature-set that has those requirements covered and it’s called IAM Service for Applications, which is our IAM as a Service module that enables you to easily implement our native Registration as a Service or Authentication as a Service capabilities right within your application.
1. Registration as a Service
A key part of our IAM Service is our native account registration feature that you can implement within your own applications through our REST APIs or Mobile SDKs and enable your users to create accounts right
(Customer Data Platform) as profiles of your users, and all activities related to them will be available for use within the platform in real time.
Whenever you decide to implement the Registration as a Service capability you have full control over the account registration mode: you can either allow automated account activation or go with email-based activation. You can read more about the available options here.
2. Password policies and Sessions
When we talk about the Registration as a Service feature, there is one important element that you’ll have to define for your implementation, and that’s the password policy. We leave it up to you what kind of policy you want to set for your users.
Both RaaS and AaaS users, upon successful sign-in / authentication, are issued a JWT for their session. That token is by default valid for 1 hour, a value that you can change to meet your own needs to anything from 5 minutes upward.
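An added illustration (not the platform's implementation) of the session-token policy described here and in the Tokens and User session section above: a minimal HS256 JWT issuer and verifier built from the standard library, with the 1 hour default and the 5 minute floor; SECRET and the claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-use"  # placeholder; a real service uses a managed key
DEFAULT_LIFETIME = 3600   # 1 hour, the default stated on the page
MIN_LIFETIME = 300        # 5 minutes, the lowest lifetime the page allows


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime: int = DEFAULT_LIFETIME, now: Optional[int] = None) -> str:
    """Sign a session token whose lifetime respects the 5 minute policy floor."""
    if lifetime < MIN_LIFETIME:
        raise ValueError(f"session lifetime must be at least {MIN_LIFETIME} seconds")
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + lifetime}).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the algorithm is the expected one, the HMAC
    matches and the token has not expired; otherwise None (session is over)."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token pick its own algorithm ("none" etc.)
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None  # signature mismatch: forged or tampered
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= now:
            return None  # expired: the client must refresh per the session policy
        return claims
    except (ValueError, KeyError, AttributeError, TypeError):
        return None  # malformed token: treat as unauthenticated
```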
3. Loyalty programs
Many applications today have some kind of loyalty program. To make it more convenient we have a built-in feature where you can automatically assign loyalty card numbers to newly created user accounts. You just need to configure a pool of card numbers and set it to be used on account registration (or on first authentication in the case of AaaS).
4. Authentication as a Service
Whether you want to add authentication through social networks or third-party identity providers alongside RaaS or without it, we’ve got you covered. You can implement authentication through Apple, Facebook, Google (available June 2021) or other services within your application and use it side by side with native accounts.
When you implement any of these options, our system authenticates users against the external service and issues our own JWT in the same way as we do for our native accounts.
5. Access Control
A common concern related to user accounts and applications is their security. Every company at some point may become a target for hackers who want to get into user accounts. Securing these accounts is everyone’s priority, especially with regulations like GDPR.
That’s also the reason why we have implemented the following capabilities:
- Unknown device control is a feature that determines how authentication from previously unknown devices is handled and allows you to configure three modes of operation: a notification to the user on sign-in from an unknown device, a notification to the user with a requirement to approve the sign-in from the unknown device, or turning the feature off.
- Fail 2 ban is a feature that should be used in conjunction with unknown device control, as its primary goal is to secure accounts from brute-force attacks. When you have fail 2 ban configured, any increased volume of failed sign-ins will be blocked by us based on the logic you have configured, as described in our help article: https://help.synerise.com/docs/settings/identity-access-management/iam-as-a-service/#fail-to-ban-settings
In addition to that, we globally block traffic from untrusted locations like TOR networks or abusive hosts (public proxies etc.).
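As an added example (not Synerise code) of the unknown-device and fail-to-ban mechanisms described above and in the Unknown device control section, the following guard tracks devices per account and failed sign-ins per source IP and decides what to do with each event; the thresholds, ban durations and the event format are constructed assumptions.

```python
from collections import defaultdict, deque

FAIL_THRESHOLD = 5       # failures inside the window that trigger a temporary ban (assumed)
WINDOW_SECONDS = 300     # sliding window for counting failed sign-ins (assumed)
TEMP_BAN_SECONDS = 900   # duration of a temporary ban (assumed)
PERMANENT_AFTER = 3      # temporary bans before a source IP is banned permanently (assumed)


class SignInGuard:
    """Tracks known devices per account and failed sign-ins per source IP.
    mode is one of the three unknown-device options: "off", "notify", "approve"."""

    def __init__(self, mode: str = "notify"):
        self.mode = mode
        self.known_devices = defaultdict(set)   # account -> device ids seen on success
        self.failures = defaultdict(deque)      # source ip -> timestamps of recent failures
        self.temp_bans = {}                     # source ip -> ban expiry timestamp
        self.temp_ban_count = defaultdict(int)  # source ip -> temporary bans so far
        self.permanent = set()                  # source ips banned for good

    def handle(self, ts: int, account: str, ip: str, device: str, ok: bool) -> str:
        """Process one sign-in event (ok=True means the credentials were valid) and
        return the action taken; bans apply even when the credentials are correct."""
        if ip in self.permanent:
            return "reject:permanent-ban"
        if self.temp_bans.get(ip, 0) > ts:
            return "reject:temp-ban"
        if ok:
            devices = self.known_devices[account]
            if device in devices or self.mode == "off":
                devices.add(device)
                return "allow"
            if self.mode == "notify":
                devices.add(device)           # trust it, but e-mail the user about it
                return "allow:notify-unknown-device"
            return "hold:approval-required"   # trusted only once the user approves
        # Failed sign-in: drop failures outside the sliding window, then count.
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) < FAIL_THRESHOLD:
            return "reject:bad-credentials"
        recent.clear()
        self.temp_ban_count[ip] += 1
        if self.temp_ban_count[ip] >= PERMANENT_AFTER:
            self.permanent.add(ip)
            return "reject:permanent-ban"
        self.temp_bans[ip] = ts + TEMP_BAN_SECONDS
        return "reject:temp-ban"
```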